JP2016508002A - Methods for protecting the integrity of fixed-length data structures - Google Patents

Abstract

One feature relates to a mechanism for securing data structures by using computationally efficient algorithms. Multiple keys and / or masks may be pre-generated at session boot-up or initiation. An authentication code may be calculated for each data structure (eg, memory block or header block) by selecting a mask from a plurality of pre-generated key subsets and / or a plurality of pre-generated masks. The authentication code can be stored in the data structure for future verification of the integrity of the data structure. The keys and / or masks used for all authentication codes (eg, for other data structures) may be selected from the same multiple keys and / or masks during the same cycle or session.

Description

  Various features relate to the protection of data structures from attacks through the use of message authentication codes.

  Heap memory is reserved by the processor and organized through the use of metadata structures. The metadata structure may be a fixed-length data structure containing information (eg, in a header block), with respect to this information, the variable is the next partition of memory (if memory is allocated), And “has” the amount of memory reserved in the corresponding memory block. An attacker can corrupt these metadata structures to reduce the amount of free memory or to ensure that a significant portion of some data is placed in a vulnerable section of memory. I want to do so. Therefore, it is desirable to protect this metadata (eg, data structure or data in the header block of a memory block) to prevent unauthorized modification of the data structure.

  Thus, a computationally economical solution is needed to protect the data structure.

  A method for generating an authentication code is provided. A set of keys including a plurality of distinct keys is pre-generated at a processing circuit startup or at a session executed on the processing circuit. A set of masks including a plurality of separate masks is also pre-generated. The set of masks can also be pre-generated at the start-up of the processing circuit or at a session executed on the processing circuit. At least one of the set of keys and / or the set of masks may be generated based on a random value.

  A plurality of variable inputs associated with a fixed length data structure may be obtained. Each of the mask and the selected corresponding key may be selected based at least in part on at least one of the plurality of variable inputs.

  Each of the plurality of variable inputs can be combined with a selected corresponding key from a set of keys to obtain a plurality of temporary values. The multiple temporary values can then be combined to obtain an intermediate value. An operation between the intermediate value and the selected mask from the set of masks can then be performed to obtain a message authentication code for the fixed length data structure. A set of keys can be subdivided into a subset of keys, and only a subset of keys (e.g., one key, two keys, etc.) can either be used to compute a message authentication code. Selected from one subset of keys.

  At least one of the plurality of variable inputs may be a memory address associated with a fixed length data structure. Each selected corresponding key may be selected based on the memory address. The selected mask can be selected based on the memory address.

  Multiple temporary values are: (a) adding multiple temporary values to obtain combination values and / or (b) pre-selected fixed values for combination values to obtain intermediate values Can be combined by performing modulo operations with prime numbers. The value of each key in the set of keys can be between zero and a preselected fixed prime number. The operation between the intermediate value and the selected mask can be, for example, a bitwise exclusive OR operation.

  At least one of the set of masks and the set of keys may be stored in a secure memory location over a period between startups or sessions. The message authentication code may be stored in a fixed length data structure of the memory device. The message authentication code may be stored in a header block for a fixed length data structure.

  During subsequent verification stages, the previously stored message authentication code may be obtained from the data structure. The message authentication code can then be compared to the previously stored message authentication code to verify the integrity of the data structure.

  Similarly, a device comprising a memory device and processing circuitry coupled to the memory device may be provided. The memory device can serve to store a fixed length data structure. The processing circuit: (a) pre-generates a set of keys including a plurality of distinct keys at a start-up of the processing circuit or in a session executed on the processing circuit; Pre-generate, (c) get multiple variable inputs associated with a fixed-length data structure, and (d) set each key of multiple variable inputs to get multiple temporary values. Combined with the corresponding key selected from (e) combining multiple temporary values to obtain an intermediate value, and (f) intermediate value to obtain a message authentication code for a fixed length data structure. It can be configured or adapted to perform operations between selected masks from a set of masks.

  The set of masks can also be pre-generated at a processing circuit start-up or at a session executed on the processing circuit.

  At least one of the set of keys and the set of masks is generated based on a random value.

  Multiple temporary values are: (a) adding multiple temporary values to obtain combination values and / or (b) pre-selected fixed values for combination values to obtain intermediate values Can be combined by performing modulo operations with prime numbers. The value of each key in the set of keys can be between zero and a preselected fixed prime number. The operation between the intermediate value and the selected mask can be a bitwise exclusive OR operation.

  Each of the mask and the selected corresponding key is selected based on at least one of the plurality of variable inputs. At least one of the plurality of variable inputs is a memory address associated with a fixed length data structure. Each selected corresponding key is selected based on a memory address. The selected mask can be selected based on the memory address.

  A set of keys can be subdivided into a subset of keys, and only a subset of keys (e.g., one key, two keys, etc.) can either be used to compute a message authentication code. Selected from one subset of keys.

  The processing circuitry may be further adapted to store at least one of the set of masks and the set of keys in a secure memory location over a period between startups or sessions.

  The processing circuit may also be further adapted to store the message authentication code in a fixed length data structure of the memory device. The message authentication code may be stored in a header block for a fixed length data structure.

  The processing circuit may: (a) obtain a previously stored message authentication code from the data structure, and / or (b) a message authentication code that has previously stored the message authentication code to verify the integrity of the data structure. And can be further adapted to compare.

FIG. 2 is a block diagram illustrating one approach for protecting a data structure in memory having a message authentication code (MAC) using an encryption key, the encryption key being stored in a secure long-term storage device; Or randomly generated and kept in secure volatile memory whenever the relevant memory controller boots. FIG. 3 is a block diagram illustrating another approach for protecting data structures using a MAC-Lite generator that is more computationally efficient than the cryptographic MAC of FIG. FIG. 2 is a diagram illustrating an example of a MAC-Lite algorithm 302 that is more computationally efficient than the cryptographic MAC of FIG. 1 while having higher security than a cyclic redundancy check (CRC) or canary value. FIG. 6 illustrates an example of a MAC-Lite algorithm that can be implemented to generate a MAC more efficiently than a conventional MAC. FIG. 6 illustrates a general approach in which an authentication code is generated based on pre-generation of a separate set of masks and a separate set of keys. FIG. 2 is a block diagram illustrating an exemplary implementation of a device adapted to execute a MAC-Lite algorithm to secure the integrity of a data structure. FIG. 6 illustrates an example of generating an authentication code for a memory space based on pre-generation of a separate set of masks and a separate set of keys.

  In the following description, specific details are given to provide a thorough understanding of various aspects of the disclosure. However, those skilled in the art will appreciate that the embodiments may be practiced without these specific details. For example, a circuit may be shown in a block diagram to avoid obscuring aspects with unnecessary detail. In other instances, well-known circuits, structures and techniques may not be shown in detail in order not to obscure aspects of the present disclosure.

  The word “exemplary” is used herein to mean “serving as an example, instance, or illustration”. Any implementation or aspect described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other aspects of the disclosure. Similarly, the term “aspect” does not necessarily require that all aspects of the disclosure include the features, advantages, or modes of operation discussed.

Overview
One feature provides a mechanism for securing data structures by using computationally efficient algorithms. Multiple keys and / or masks may be pre-generated at session boot-up or initiation. An authentication code may be calculated for each data structure (eg, memory block or header block) by selecting a mask from a plurality of pre-generated key subsets and / or a plurality of pre-generated masks. The authentication code can be stored in the data structure for future verification of the integrity of the data structure. The keys and / or masks used for all authentication codes (eg, for other data structures) may be selected from the same multiple keys and / or masks during the same cycle or session.

  This approach is less secure than other cryptographic message authentication code (MAC) approaches, but has a slightly lower implementation cost than standard cyclic redundancy check (CRC) implementations, but more than CRC or canary values. High safety can be provided. This solution gains efficiency from knowledge of the format of the input and by using more random or pseudo-random keys than normal numbers.

Example Memory Structure with Dynamically Generated Message Authentication Code FIG. 1 is a block diagram illustrating one approach for protecting a data structure in memory with a message authentication code (MAC) using an encryption key. The encryption key is either stored in a secure long-term storage device or is randomly generated and held in secure volatile memory whenever the associated memory controller boots. The processing circuit 102 may be coupled to and / or integrated with the memory device 104 or storage device. Memory device 104 may include memory space arranged as memory blocks 114a, 114b, and / or 114c. Each memory block 114a, 114b, 114c may include header blocks 106a, 106b, and 106c and corresponding block reserved memory spaces 108a, 108b, and 108c. The header block 106 can serve to store a data structure (eg, a metadata structure).

  The processing circuit 102 may be configured to implement a MAC generator 112 that calculates a MAC 110 for each header block 106 or memory block 114 and stores such MAC 110 in each corresponding header block 106. In one example, the MAC generator (e.g., processing circuit or module) may be configured with a specific MAC algorithm 116 (e.g., hash-based message authentication code (HMAC)-secure hash algorithm 1 (SHA-1)) that has multiple rounds or iterations Advanced Encryption Standard (AES)-Cryptographic MAC (CMAC), and Data Authentication Algorithm (DAA), etc.).

  A typical MAC algorithm 116, sometimes referred to as a keyed or cryptographic hash function, receives as input a secret key 118 and an arbitrary length message 120 to be authenticated and outputs a MAC value. The MAC value allows the verifier (who also owns the private key) to detect the data integrity of the message by allowing it to detect any changes to the message content (e.g., header block 106 and / or memory block 114). As well as protecting its reliability.

  In various examples, the MAC algorithm 116 may include a memory address 122 as part of the “message” input 120, at which address the header block begins, the block allocation memory space begins, and / or that address. Specific metadata in the data structure is retained. This MAC can be stored in the data structure (in the header block 106) and can be examined whenever the data structure is read or written. In addition, the MAC algorithm 116 also includes other inputs 1 ... n 124 such as header block contents (eg, data structures stored therein) and / or commands as part of the "message" input 120. Can do. Based on at least some of the information in the corresponding header block 106a (e.g., memory address for memory block 114a or block reserved memory space 108a, size of memory block 114a or block reserved memory space 108a, etc.) Any attempt to tamper with the header block 106a, the address for the memory block 114a or the block reserved memory space 108a, and / or the size of the corresponding memory block 114a and / or the block reserved memory space 108a will be It can be detected by verifying MAC 110a.

  However, this approach has the disadvantage of being computationally uneconomical because it requires cryptographic MAC operations each time the data structure (header block 106) is accessed. Typical cryptographic MAC algorithms (eg, HMAC-SHA-1, AES-CMAC, DAA, etc.) are performed by performing multiple computationally uneconomical rounds and / or when the MAC is calculated We seek to provide greater security by generating pseudo-random mask values. As a result, typical cryptographic MAC operations are computationally intensive and can consume significant processing resources each time a cryptographic MAC is computed.

  If memory block 114 (eg, and / or data structure in corresponding header block 106) is accessed frequently, this may be the case when the data structure holds information about memory allocation, such as a heap memory structure In that case, verification of the MAC 110 may consume unacceptable processing resources.

Example memory structure with Lite message authentication code using pre-generated keys and / or masks Figure 2 uses a MAC-Lite generator that is more computationally efficient than the cryptographic MAC of Figure 1 FIG. 6 is a block diagram illustrating another technique for protecting data structures. The processing circuit 202 may be coupled to and / or integrated with the memory device 204 or storage device. The memory device 204 can include memory space arranged as memory blocks 214a, 214b, and / or 214c. Each memory block 214a, 214b, 214c may include header blocks 206a, 206b, and 206c and corresponding block reserved memory spaces 208a, 208b, and 208c. The header block 206 can serve to store a data structure (eg, a metadata structure).

  The processing circuit 202 may be configured to implement a MAC-Lite generator 212 that calculates a MAC 210 for each header block 206 or memory block 214 and stores such MAC 210 in each corresponding header block 206. In one example, the MAC generator 212 (e.g., a MAC processing circuit or module) may use a particular MAC--a plurality of startup generation keys 218 and / or startup generation masks 217 used in generating a MAC for the message input 220. The Lite algorithm 216 can be implemented.

  Multiple startup generation keys 218 and startup generation mask 217 may be used to generate a MAC during bootup or during an application session. For example, selected keys and / or masks from multiple startup generation keys 218 and / or startup generation masks 217 may be used to generate all MACs for all data structures during a cycle or session.

  In various examples, the MAC-Lite algorithm 216 can include a memory address 222 as part of the “message” input 220, at which address a header block begins, a block allocation memory space begins, and / or Specific metadata of the data structure is held at the address. At least one of the message inputs (eg, a memory address, etc.) selects a mask from the startup generation mask 217 and / or when selecting a plurality of separate one or more keys from the startup generation key 218 Can be used when The selected key and / or mask is then used to generate the MAC 210 while avoiding multiple computationally uneconomic round and / or pseudo-random mask value calculations at run time.

  In addition, the MAC algorithm 216 may also include other inputs 1... N 224 such as the contents of the header block (eg, the data structure stored therein) as part of the “message” input 220. Based on at least some of the information in the corresponding header block 206a (e.g., memory address for memory block 214a or block reserved memory space 208a, size of memory block 214a or block reserved memory space 208a, etc.) Any attempt to tamper with the address of header block 206a, memory block 214a or block reserved memory space 208a and / or the size of corresponding memory block 214a and / or block reserved memory space 208a will be It can be detected by verifying MAC 210a.

  This MAC 210 can be stored in a data structure (in header block 206) and can be examined whenever the data structure is accessed (eg, a read or write operation).

  FIG. 3 illustrates an example of a MAC-Lite algorithm 302 that has greater security than a cyclic redundancy check (CRC) or canary value, but is more computationally efficient than the cryptographic MAC of FIG. This MAC-Lite algorithm 302 may be implemented, for example, by the MAC-Lite generator 212 of FIG.

  In this approach, key set 304 and / or mask 306 can be pre-generated at boot-up and / or at startup, and then to generate a MAC for one or more memory blocks (E.g., during the entire session). For example, the plurality of keys 304k [0] [0], ..., k [n] [NK-1] may be generated randomly or pseudo-randomly (eg, may be generated based on a random or pseudo-random value) ). In this example, a plurality of keys 304k [0] [0],..., K [n] [NK-1] is a first subset of keys 306a k [0] [0],. NK-1], second subset of keys 306b k [1] [0],…, k [1] [NK-1], third subset of keys 306c k [n] [0],…, k [n] [NK-1] are grouped into a plurality of subsets 306a, 306b, and 306c. These key values should be secret and unchangeable to potential attackers.

  Similarly, multiple mask values 308 including mask [0], mask [1], ..., mask [NM-1] can be pre-generated at boot time and / or at startup, after which 1 Can be used to generate a MAC for one or more memory blocks (eg, during an entire session).

  In this example, the MAC-Lite algorithm 302 has as inputs: multiple inputs Input_1 310a, Input_2 310b, Input_n 310c, variable memory address 312, preselected or predetermined prime p 314, selected mask 316, and / or key. A plurality of selected keys 318 selected from the set 304 can be employed. In one example, the mask values 308 mask [0], mask [1],..., Mask [NM-1] may each be the same bit length as the prime number p 314. In addition, the key values k [0] [0],..., K [n] [NK-1] in the key set 304 may be between 0 and p-1 (inclusive).

  For a given memory block, the MAC may be generated using the MAC-Lite algorithm 302. The plurality of keys 318 may be selected from the set of keys 304 based on one or more indexes generated from the variable memory address 312, for example. For example, the function f and the variable memory address 312 addr can serve to generate a key index: f (addr) = key_index_0, ..., key_index_n. For example, each key index may be between the integer values 0 and NK-1. As a result, the selected key set 318 may be selected from each of the subsets 306a, 306b, and 306c of the plurality of keys 304.

  Similarly, mask 316 may be selected from a plurality of mask values 308 based on an index generated from variable memory address 312, for example. For example, the same or different function f and variable memory address 312 addr can serve to generate a mask index: f (addr) = mask_index. For example, the mask index 313 may be between the integer values 0 and NM-1. As a result, the mask 316 can be selected from a plurality of masks 308.

  Multiple selected keys 318, selected mask 316, prime number p 314, and variable memory address 312, input_1 310a, input_2 310b,..., Input_n 310c may be combined in a way that produces a MAC output that is difficult to predict. . For the memory management case, the variable memory address (addr) 312 may be, for example, a start address for a header block of a memory structure. Similarly, the plurality of other input variables input_1 310a, input_2 310b,..., Input_n 310c may be different variables in the data structure or header block. The MAC-Lite algorithm 302 can be parameterized by a prime number p 314 that can be greater than any possible individual input (eg, k [j] [i] ≦ p−1). This individual input can be determined thanks to the assumption that the input characteristics for the MAC-Lite algorithm 302 are known. As long as it is possible to efficiently map a set of possible inputs to a set of inputs that are all guaranteed to be less than the prime p 314 in bijection, this prime p 314 is It may be smaller than some possible inputs (eg, selected key 318, selected mask 316, memory address 312 and / or input 310). This also allows small inputs to be combined into one large variable. This prime p 314 can be published, but should not be changeable by the attacker.

  In alternative implementations, the input (e.g., selected key 318, selected mask 316, memory address 312 and / or input 310) can also be mapped to an arbitrary finite field GF (2 ^ by mapping the input to field elements. n) can be used to implement.

In one example, the MAC-Lite algorithm 302 can include two stages. First, the intermediate polynomial value (Val) is:
Intermediate_Val = addr * k [0] [key_index_0] +
input_1 * k [1] [key_index_1] +
input_2 * k [2] [key_index_2] +… +
input_n * k [n] [key_index_n] mod p.
Is calculated as Then the MAC value is:
MAC_value = Intermediate_Val XOR mask [mask_index]
Is calculated as In this way, the MAC-Lite algorithm 302 can generate an output MAC value 320 that is relatively safe while avoiding multiple rounds of iterative computation each time a memory block is accessed.

  FIG. 4 illustrates an example of a MAC-Lite algorithm that can be implemented to generate a MAC more efficiently than a conventional MAC. A set of keys k [0] [0],..., K [n] [NK-1] is pre-generated 402 at device or session startup or start. Similarly, a set of masks mask [0], mask [1],..., Mask [NM-1] are pre-generated 404 at device or session startup or start. A plurality of variable inputs (eg, addr, input_1, input_2,..., Input_n) associated with the data structure are obtained 406. Multiple keys from a set of keys (eg k [0] [key_index_0], k [1] [key_index_1], k [2] [key_index_2], and k [n] [key_index_n]) 408 selected from one or more. Similarly, a mask from a set of masks (eg, mask [mask_index]) is selected 410 based on one or more of the variable inputs. Intermediate values are obtained by combining each of multiple variable inputs with a corresponding selected key to obtain multiple temporary values, combining multiple temporary values, and modulo p operations to obtain intermediate values Calculated by executing 412. In various examples, each input and corresponding key can be used for logical operations, arithmetic operations (e.g., multiplication), and / or for combining two values and for obtaining a temporary value. They may be combined using other operations or functions. In one case, Intermediate_Val = addr * k [0] [key_index_0] + input_1 * k [1] [key_index_1] + input_2 * k [2] [key_index_2] +… + input_n * k [n] [key_index_n] mod p Where p is a prime number. An exclusive OR (XOR) operation may then be performed 414 between the intermediate value and the selected mask (eg, mask [mask_index]) to obtain a message authentication code (MAC).

  In one exemplary implementation, multiple keys 304 (eg, a set of keys) may be indexed (eg, selectable by key_index_x). Similarly, multiple masks 308 (eg, a set of masks) may be indexed (eg, selectable by mask_index 313). As a result, the key_index value and / or mask_index can be generated based on one of the variable inputs for the data structure. Various other ways of using variable input, alone or in combination with other information, vary depending on the variable input (e.g., it may be apparent throughout the data structure that the variable input changes) Can be used in generating The mask_index can be selected from a plurality of NM masks 308, where NM is an integer value and is used in calculating the MAC value 320. The selection of a particular mask_index 313 from among the plurality of masks 308 can be random, pseudo-random, and / or can follow some selection algorithm (eg, as a function of memory address 312). In one example, each of the masks in the plurality of masks 308 can have the same bit length as the prime number p 314.

  In one example, the plurality of keys 304 may be subdivided into subsets 306a, 306b, 306c, each having NK elements (ie, keys). Multiple key_index_x may be selected based on the same variable input or different variable inputs, similar to the selection of mask_index. For example, the length NK of the subsets 306a, 306b, and 306c of the key set 304 can be used to derive a key index value for each of the subsets 306a, 306b, 306c. For example, the selection of a particular key_index 313 (eg, key_index_1, key_index_2, ..., key_index_n) from among multiple masks 308 can be random, pseudo-random, and / or some selection algorithm (Eg, as a function of memory address 312). Preferably, the key_index into each of the subsets 306a, 306b, 306c is different to provide greater security for the attacker.

  Note that the MAC-Lite algorithm 302 can be used in a variety of different contexts, not just for memory integrity. In the case where this MAC-Lite algorithm 302 is used for memory integrity, the MAC 320 may be stored as part of the data structure in the header block for the memory block. On subsequent accesses (eg, reads or writes) to the same memory block, a MAC is generated and compared to the previously stored MAC in the header block to ensure that they are the same. If the MACs are different, it can be assumed or concluded that the memory block is at risk and the memory block can be flushed or ignored. In addition, the occurrence of a memory block at risk may also indicate that other memory structures in the memory area may be at risk. As a result, other memory blocks can be flushed and ignored, or the system can be restarted.

  FIG. 5 illustrates a general approach in which an authentication code is generated based on pre-generation of a separate set of masks and a separate set of keys. A set of keys including a plurality of distinct keys is pre-generated 502. For example, a set of keys is generated at processing circuit startup, at processing circuit boot-up, and / or at the start of a session (e.g., processing session, application session, communication session, etc.) executed on the processing circuit. obtain. In some implementations, the set of keys may be subdivided into subsets (eg, key set 304 and subsets 306a, 306b, and 306c) as illustrated in FIG. Similarly, a set of masks including separate masks is pre-generated 504. For example, a set of masks may also be generated at processing circuit startup, at processing circuit boot-up, and / or at the beginning of a session (e.g., processing session, application session, communication session, etc.) executed on the processing circuit. obtain. At least one of the set of keys and the set of masks (e.g., from a hardware random bit generator, a random number generator based on unpredictable system events, a software random number generator, a pseudo random number generator based on a seed value, etc. Can be generated based on random values. The set of keys and the set of masks can be kept secret.

  A plurality of variable inputs associated with a data structure (eg, message, memory region, data, file, transmission, header block information, etc.) may be subsequently obtained 506. In some implementations, such variable inputs may include memory addresses or data structure locations associated with the data structure.

  Each of the plurality of variable inputs may be combined 508 with a selected corresponding key from a set of keys (eg, by an arithmetic operation such as a logical operation or multiplication) to obtain a plurality of temporary values. The multiple temporary values are then combined 510 (eg, by a logical operation or an arithmetic operation such as addition, etc.) to obtain a combined value. Each of the plurality of different keys may be selected based on at least one of the plurality of variable inputs. A modulo operation may then be performed 512 on one combination value using a fixed prime number to obtain an intermediate value. In one example, the intermediate value can be calculated as the multiplication of each of the multiple variable inputs and its corresponding corresponding key to obtain multiple temporary values, and the resulting temporary values are added. And a modulo operation with a pre-selected fixed prime number may be performed. The value of each key used can be between zero and a prime number.

  An exclusive OR (XOR) operation may then be performed 514 between the intermediate value and the selected mask from the set of masks to obtain a message authentication code for the data structure. The mask may be selected based on at least one of a plurality of variable inputs (eg, a variable memory address space corresponding to the data structure). Note that in alternative implementations, different operations (eg, logical or arithmetic operations) may be employed to combine the intermediate value with the selected mask.

  The message authentication code may be stored 516 in the data structure of the memory device. In some examples, the data structure may be a fixed length data structure.

  Thereafter, when the data structure is accessed again, the previously stored message authentication code is obtained 518 from the data structure. The message authentication code can then be compared 520 with a previously stored message authentication code to verify the integrity of the data structure.

  FIG. 6 is a block diagram illustrating an exemplary implementation of a device adapted to execute a MAC-Lite algorithm to secure data structure integrity. The device can include a processing circuit 602 coupled to a separate or integrated memory device 604. Processing circuit 602 may be adapted to implement a MAC-Lite algorithm on one or more data structures 608a, 608b, 608c stored in memory device 604 to secure the integrity of the data structure. A message authentication code (MAC) generator 606 can be included.

  The MAC generator 606 can include multiple circuits and / or modules that perform one or more functions or steps of the MAC-Lite algorithm. The key pre-generation circuit / module 610 randomly or pseudo-randomizes a key set 628 containing multiple keys at the startup or boot-up of the processing circuit 602 or at the start of a session or application running on the processing circuit 602. Can be generated. Key set 628 may be stored in secure memory device 626 or in a secure location within processing circuit 602 or memory device 604. Similarly, the mask pre-generation circuit / module 612 randomly selects a set of masks 630 that includes multiple masks at startup or boot-up of the processing circuit 602 or at the start of a session or application running on the processing circuit 602. Alternatively, it can be generated pseudo-randomly. The set of masks 630 can be stored in a secure memory device 626 or in a secure location within the processing circuit 602 or memory device 604. The set of masks and / or the set of keys in the secure memory device 626 (or location) may be stored for a period between startups or between (application) sessions. As a result, the mask set and / or key set is not used for a single read / write operation or for a single memory block. Instead, it is used for all read / write operations and all memory blocks in a cycle (eg, between startups or sessions).

  When accessing a data structure for a write operation or a read operation, the key selector circuit / module 614 may determine whether the key structure is based on at least one input associated with the data structure (e.g., a variable memory address for the data structure, etc.). Multiple keys can be selected from the set 628. Similarly, the mask selector circuit / module 616 may receive from the set of masks 630 based on at least one input (e.g., a variable memory address for the data structure, etc.) or a different one or more inputs related to the data structure. A mask can be selected.

  The input and key combination circuit / module 618 can serve to combine the input with a corresponding (different) selected key (from the key selector circuit / module 614). For example, each input can be multiplied with a different selected key and the results can be added together. The modulo operator circuit / module 620 may be applied to the results from the input and key combination circuit / module 618 using a fixed prime number p 632. The mask combination circuit / module 622 can obtain the results from the modulo arithmetic circuit / module 620 and select (from the mask selector circuit / module 616) to generate a MAC-Lite value for the data structure. Applied masks can be applied.

  The MAC comparator circuit / module 624 checks the integrity of the data structure by comparing the previously stored MAC value for the data structure with the dynamically calculated MAC value (from the mask combination circuit / module 622). Can work as you want.

  FIG. 7 illustrates an example of generating an authentication code for a memory space based on pre-generation of a separate set of masks and a separate set of keys. A memory address is obtained 702 for the fixed length data structure. Multiple inputs are also obtained 704 based on information in the fixed length data structure. A different key is selected for each of the memory addresses and multiple variable inputs, where each of the different keys is selected 706 from a separate set of pre-generated keys. In one example, each of a plurality of different keys and / or masks may be selected (eg, as a function) based on a memory address. A separate set of pre-generated keys may be generated at the start-up of the processing circuit / device or at the start of a session executed on the processing circuit / device.

  The memory address is combined 708 with each of the plurality of variable inputs having the selected first key as well as the selected corresponding key to obtain an intermediate value. The intermediate value is calculated by multiplying each of a plurality of variable inputs by the corresponding key selected in addition to multiplying the memory address by the first key, and performing a modulo operation with a preselected fixed prime number. Can be done. Each key used can be between zero and a prime number.

  An exclusive OR (XOR) operation is performed 710 between the intermediate value and a mask selected from a separate set of pre-generated masks to obtain an authentication code for the fixed length data structure. A separate set of pre-generated masks may have been generated at the start-up of the processing circuit / device or at the start of a session executed on the processing circuit / device. A separate set of keys and a separate set of masks can be kept secret.

  The authentication code may then be stored 712 in a fixed length data structure. For example, the authentication code may be stored in a header block for a fixed length data structure. The memory address can correspond to the address of the header block for a fixed length data structure.

  In subsequent accesses of the fixed length data structure, its integrity can be verified by regenerating the message authentication code and comparing it to a previously stored message authentication code for the same data structure.

  One or more of the components, steps, features, and / or functions illustrated in the figures may be rearranged and / or combined into one component, step, feature, or function, or some May be embodied in the following components, steps, or functions. Additional elements, components, steps, and / or functions may also be added without departing from the present invention. The apparatus, devices, and / or components illustrated in the figures may be configured to perform one or more of the methods, features, or steps described in the figures. The algorithms described herein can also be efficiently implemented in software and / or efficiently incorporated into hardware.

  Moreover, in one aspect of the disclosure, the processing circuits 102, 202, and / or 602 illustrated in FIGS. 1, 2, and 6 may be the algorithms described in FIG. 3, FIG. 4, FIG. 5, and / or FIG. It may be a special processor (eg, an application specific integrated circuit (ASIC)) specifically designed and / or physically incorporated to perform the methods and / or steps. Thus, such a special processor (e.g., ASIC) is an example of a means for performing the algorithms, methods, and / or steps described in FIG. 3, FIG. 4, FIG. 5, and / or FIG. possible. A processor-readable storage medium may store instructions that, when executed by a special processor (eg, ASIC), cause the special processor to perform the algorithms, methods, and / or steps described herein.

  It should also be noted that aspects of the present disclosure may be described as a process which is depicted as a flowchart, flowchart, structure diagram, or block diagram. Although a flowchart can describe operations as a series of processes, many of the operations can be performed in parallel or concurrently. In addition, the order of operations may be rearranged. The process is terminated when the operation is complete. A process can correspond to a method, function, procedure, subroutine, subprogram, and the like. When the process corresponds to a function, its termination corresponds to the return of the function to the calling function or the main function.

  Moreover, the storage media can be read only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash memory devices, and / or other machine readable media for storing information, And may represent one or more devices for storing data, including processor readable media and / or computer readable media. The terms “machine-readable medium”, “computer-readable medium”, and / or “processor-readable medium” refer to portable or fixed storage devices, optical storage devices, and instructions or / and data stored, contained or carried It can include non-transitory media such as, but not limited to, various other media that can be. As such, the various methods described herein may be stored on a “machine-readable medium”, “computer-readable medium”, and / or “processor-readable medium”, and one or more processors, machines, and / or Or it may be implemented in whole or in part by instructions and / or data that may be executed by the device.

  Furthermore, aspects of the present disclosure may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, program code or code segments for performing the required tasks may be stored in a machine-readable medium such as a storage medium or other storage device. The processor can perform the necessary tasks. A code segment can represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and / or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

  Various illustrative logic blocks, modules, circuits, elements, and / or components described in connection with the examples disclosed herein may be general purpose processors, digital signal processors (DSPs), application specific integrated circuits ( ASIC), field programmable gate array (FPGA) or other programmable logic components, single gate or transistor logic, single hardware components, or any of these designed to perform the functions described herein Can be implemented or implemented in combination. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor is a combination of computing components, for example, a combination of a DSP and a microprocessor, several microprocessors, one or more microprocessors that cooperate with a DSP core, or any other such configuration May also be implemented.

  The methods or algorithms described in connection with the examples disclosed herein may be in the form of processing units, programming instructions, or other instructions, directly in hardware, into software modules executable by a processor, or both. It may be embodied in combination, may be contained within one device, or may be distributed across multiple devices. A software module resides in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art. May be. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor.

  Those skilled in the art will appreciate that the various illustrative logic blocks, modules, circuits, and algorithm steps described in connection with the aspects disclosed herein can be implemented as electronic hardware, computer software, or a combination of both. You will recognize further. To clearly illustrate this compatibility between hardware and software, various illustrative components, blocks, modules, circuits, and steps are generally described above in terms of their functionality. . Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system.

  Various features of the invention described herein may be implemented in different systems without departing from the invention. It should be noted that the foregoing aspects of the disclosure are merely examples and should not be construed as limiting the invention. The description of aspects of the present disclosure is meant to be illustrative and not to limit the scope of the claims. As such, the present teachings can be readily applied to other types of devices, and many alternatives, modifications, and variations will be apparent to those skilled in the art.

102 Processing circuit
104 Memory device
106 Header block
108 block memory space
110 MAC
112 MAC generator
114 memory blocks
116 MAC algorithm
118 Private key
120 Message input
122 Memory address
124 inputs
202 Processing circuit
204 Memory device
206 Header block
208 block reserved memory space
210 MAC
212 MAC generator
214 memory blocks
216 MAC-Lite algorithm
217 Startup generation mask
218 Startup key
220 Message input
222 Memory address
224 inputs
302 MAC-Lite algorithm
304 set of keys
306 mask
308 Mask value, mask
310 inputs
312 Variable memory address
314 prime p
316 mask
318 keys
320 MAC value
602 processing circuit
604 memory device
606 MAC generator
608 data structure
610 Key pre-generation circuit / module
612 Mask Pre-Generation Circuit / Module
614 Key selector circuit / module
616 Mask selector circuit / module
618 Input-key combination circuit / module
620 Modulo arithmetic circuit / module
622 Mask Combination Circuit / Module
624 MAC comparator circuit / module
626 Safe memory device
Set of 628 keys
Set of 630 masks
632 fixed prime p

Claims (38)

A method for generating an authentication code, comprising:
Pre-generating a set of keys including a plurality of distinct keys at processing circuit startup or in a session executed on said processing circuit;
Pre-generating a set of masks including a plurality of separate masks;
Obtaining a plurality of variable inputs associated with a fixed length data structure;
Combining each of the plurality of variable inputs with a selected corresponding key from the set of keys to obtain a plurality of temporary values;
Combining the plurality of temporary values to obtain an intermediate value;
Performing an operation between the intermediate value and a selected mask from the set of masks to obtain a message authentication code for the fixed length data structure.   The method of claim 1, wherein the set of masks is pre-generated at the processing circuit startup or at the session executed on the processing circuit.   The method of claim 1, wherein at least one of the set of keys and the set of masks is generated based on a random value. The plurality of temporary values are
Adding the plurality of temporary values to obtain a combination value;
The method of claim 1, wherein the intermediate value is obtained by performing a modulo operation with a pre-selected fixed prime number on the combination value.   5. The method of claim 4, wherein the value of each key in the set of keys is between zero and the preselected fixed prime number.   5. The method of claim 4, wherein the operation between the intermediate value and the selected mask is a bitwise exclusive OR operation.   The method of claim 1, wherein each of the mask and the selected corresponding key is selected based on at least one of the plurality of variable inputs.   8. The method of claim 7, wherein the at least one of the plurality of variable inputs is a memory address associated with the fixed length data structure.   9. The method of claim 8, wherein each of the selected corresponding keys is selected based on the memory address.   9. The method of claim 8, wherein the selected mask is selected based on the memory address.   The method of claim 1, wherein the set of keys is subdivided into subsets of keys, and only a subset of keys is selected from one subset of any key to calculate the message authentication code. . The method of claim 1, further comprising storing at least one of the set of masks and the set of keys in a secure memory location over a period between startups or sessions. The method of claim 1, further comprising storing the message authentication code in the fixed length data structure of a memory device.   14. The method of claim 13, wherein the message authentication code is stored in a header block for the fixed length data structure. Obtaining a previously stored message authentication code from the data structure;
The method of claim 1, further comprising comparing the message authentication code with the previously stored message authentication code to verify the integrity of the data structure. A memory device for storing a fixed length data structure;
A processing circuit coupled to the memory device, the processing circuit comprising:
Pre-generate a set of keys including a plurality of distinct keys at a processing circuit start-up or at a session executed on said processing circuit;
Pre-generate a set of masks containing multiple separate masks;
Obtaining a plurality of variable inputs associated with the fixed-length data structure;
Combining each of the plurality of variable inputs with a selected corresponding key from the set of keys to obtain a plurality of temporary values;
Combining the plurality of temporary values to obtain an intermediate value;
A processing circuit adapted to perform an operation between the intermediate value and a selected mask from the set of masks to obtain a message authentication code for the fixed length data structure. .   17. The device of claim 16, wherein the set of masks is pre-generated at the processing circuit startup or at the session that is executed on the processing circuit.   The device of claim 16, wherein at least one of the set of keys and the set of masks is generated based on a random value. The plurality of temporary values are
Adding the plurality of temporary values to obtain a combined value;
17. The device of claim 16, wherein the device is combined by performing a modulo operation with a pre-selected fixed prime number on the combination value to obtain the intermediate value.   20. The device of claim 19, wherein the value of each key in the key set is between zero and the preselected fixed prime number.   20. The device of claim 19, wherein the operation between the intermediate value and the selected mask is a bitwise exclusive OR operation.   The device of claim 16, wherein each of the mask and the selected corresponding key is selected based on at least one of the plurality of variable inputs.   23. The device of claim 22, wherein the at least one of the plurality of variable inputs is a memory address associated with the fixed length data structure.   24. The device of claim 23, wherein each of the selected corresponding keys is selected based on the memory address.   24. The device of claim 23, wherein the selected mask is selected based on the memory address.   The device of claim 16, wherein the set of keys is subdivided into a subset of keys, and only a subset of keys is selected from one subset of any key to calculate the message authentication code. . The processing circuit is
The device of claim 16, further adapted to store at least one of the set of masks and the set of keys in a secure memory location over a period between startups or sessions. The processing circuit is
The device of claim 16, further adapted to store the message authentication code in the fixed length data structure of a memory device.   30. The device of claim 28, wherein the message authentication code is stored in a header block for the fixed length data structure. The processing circuit is
Obtaining a previously stored message authentication code from the data structure;
The device of claim 16, further adapted to compare the message authentication code with the previously stored message authentication code to verify the integrity of the data structure. Means for pre-generating a set of keys including a plurality of distinct keys at processing circuit startup or at a session executed on said processing circuit;
Means for pre-generating a set of masks comprising a plurality of separate masks;
Means for obtaining a plurality of variable inputs associated with a fixed length data structure;
Means for combining each of the plurality of variable inputs with a selected corresponding key from the pre-generated key set to obtain a plurality of temporary values;
Means for combining the plurality of temporary values to obtain an intermediate value;
Means for performing an operation between the intermediate value and a selected mask from the pre-generated set of masks to obtain a message authentication code for the fixed length data structure. 32. The device of claim 31, further comprising means for storing at least one of the set of masks and the set of keys in a secure memory location over a period between startups or sessions. 32. The device of claim 31, further comprising means for storing the message authentication code in the fixed length data structure of a memory device.   34. The device of claim 33, wherein the message authentication code is stored in a header block for the fixed length data structure. Means for obtaining a previously stored message authentication code from the data structure;
32. The device of claim 31, further comprising means for comparing the message authentication code with the previously stored message authentication code to verify the integrity of the data structure. When executed by at least one processing circuit, the at least one processing circuit includes:
Pre-generating a set of keys including a plurality of distinct keys at processing circuit startup or at a session executed on said processing circuit;
Pre-generate a set of masks containing multiple separate masks;
Get multiple variable inputs associated with a fixed-length data structure,
Combining each of the plurality of variable inputs with a selected corresponding key from the set of keys to obtain a plurality of temporary values;
Combining the plurality of temporary values to obtain an intermediate value;
Perform an operation between the intermediate value and a selected mask from the set of masks to obtain a message authentication code for the fixed length data structure
A processor readable storage medium having one or more instructions. When executed by at least one processing circuit, the at least one processing circuit includes:
Storing the message authentication code in the fixed-length data structure of a memory device;
40. The processor readable storage medium of claim 36, further comprising one or more instructions. When executed by at least one processing circuit, the at least one processing circuit includes:
Obtaining a previously stored message authentication code from the data structure;
Have the message authentication code compared to the previously stored message authentication code to verify the integrity of the data structure
40. The processor readable storage medium of claim 36, further comprising one or more instructions.

Images